I am not a computer expert, although I am an experienced user. Maybe there is a simple explanation for it:
There is sth. on my computer that erases Spybot + Ccleaner. First it makes the Desktoplink disfunctional, then it erases the active program. I have used the most recent Spybot and AdAware and Avira and PrevX1, but the problem remains. I downloaded Spybot + Ccleaner several times, with the same erasing result.

Every day when I start my computer, I delete the disfunctional Antivir (AVIRA), CCleaner and Spybot S&D. Then I download and instal them all again. The found malware etc. are deleted. So now my computer should be quite clean.

Then for a time these three programs work fine. An hour or so later when starting the programs up they seem to start up properly for a second (or less), and then the started up window just disappears.

Later when starting them up the active program cannot be found.
First the CCleaner stops working, and the program file appears to be renamed, and later deleted.
Some time later, Spybot and Avira stop working, and the .exe files in their folders appear to be changed.

I really would appreciate some help in this.

Hello sternenkase,

Welcome to Safer Networking Forums :)

Oh goodie, I like surprises.....

* Click here (http://www.thespykiller.co.uk/files/HJTsetup.exe) to download HJTsetup.exe
Save HJTsetup.exe to your desktop.
Doubleclick on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


Thanks,
tea

One other thing: on Desktop the CCleaner and Spybot icon's get changed into 'blank screen' ones.


Logfile of HijackThis v1.99.1
Scan saved at 19:35:22, on 15-1-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Prevx1\PXConsole.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\Kees\LOCALS~1\Temp\Tijdelijke map 1 voor hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tvgids.nl/alleprogrammas/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - Startup: Dreamspell Calendar.lnk = C:\DREAMSP\dreamsp.exe
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documenten\Settings\partnership.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

Hello,

You look to be running 3 (THREE) AntiVirus Programs. First you should know that you're actually doing more harm than good by running 3 Anti Virus programs. (AntiVir, Prevx, Computer Associates) When you do this the programs compete for resources, and the end result is none does it's best and can cause system instability. I recommend that you choose the one you want to keep, update it, disable the others, or uninstall, and use it/them as an on demand only scan occasionally.

Reboot when you're done with this and run a full scan with the one you decided to keep. Let me know of anything bad it finds, and let me know how your computer is running now, please.

Thanks,
tea

Hi Tea,
thanks for helping me.

3 Anti Virus programs:
Computer Associates was inactive, as far as I know, but is now deleted.
Avira was active, but got to malfunction as mentioned. Is now deleted.
Prevx (also active) I downloaded two days ago because of these problems, and is not affected (CCleaner, Spybot and Avira are), but finds my computer clean.

After reboot Prevx finds nothing in extensive system scan.
I deleted Spybot (uninstall did not work, perhaps because of damaged exe files from Spybot dir.), and installed it anew. Starting Spybot failed: there was only a flash of the screen showing the loading of Spybot. Then it stopped. Going to the Spybot directory and starting Spybot by clicking on the program icon failed as well. The prevx console showed that Spybot was allowed, all four times me trying to start Spybot.

Now (this moment) I tried Spybot again, there was no flash of the loading screen. In the Spybot dir. both Spybot and TeaTimer exe files failed to start anything up.

Kind regards,
Case

Hi Case,

Thanks for that. :)

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously, along with a new HijackThis log in your next reply.


Thanks,
tea

Hi Tea,
Nice program, DrWeb.
Could not open DrWeb.csv from the Desktop. Pasted contents of C:\Documents and Settings\Kees\DoctorWeb\CureIt.log.
It is vast.
It was too large to be put on your website, so I deleted (from C: and from D:) a huge "SystemVolumeInformation"-section which looked all the same, and was cured. (marked as:
->
->
->)
.
Hm, still too large (went from >500,000 to 104,341 characters).
I deleted most of it, and left over the Incurables, plus some statistics.

=============================================================================
Dr.Web(R) Scanner for Windows v4.33.2 (4.33.2.10060)
Copyright (c) Igor Daniloff, 1992-2006
Log generated on: 2007-01-16, 14:56:47 [BURP][Kees]
Command-line: "C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\cureit.exe" /lng /ini:cureit_XP.ini
Operating system:Windows XP Home Edition x86 (Build 2600), Service Pack 2
=============================================================================
Engine version: 4.33 (4.33.5.10110)
Engine API version: 2.01
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crwtoday.cdb - 323 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43370.cdb - 2022 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43369.cdb - 687 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43368.cdb - 1099 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43367.cdb - 1834 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43366.cdb - 4015 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43365.cdb - 1342 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43364.cdb - 1335 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43363.cdb - 1152 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43362.cdb - 1006 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43361.cdb - 878 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43360.cdb - 988 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43359.cdb - 1205 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43358.cdb - 1139 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43357.cdb - 1302 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43356.cdb - 1332 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43355.cdb - 2456 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43354.cdb - 1283 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43353.cdb - 795 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43352.cdb - 2016 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43351.cdb - 941 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43350.cdb - 1020 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43349.cdb - 1008 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43348.cdb - 1096 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43347.cdb - 707 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43346.cdb - 1428 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43345.cdb - 1358 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43344.cdb - 694 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43343.cdb - 1186 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43342.cdb - 744 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43341.cdb - 841 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43340.cdb - 822 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43339.cdb - 1071 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43338.cdb - 989 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43337.cdb - 855 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43336.cdb - 1297 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43335.cdb - 1195 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43334.cdb - 900 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43333.cdb - 1381 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43332.cdb - 1340 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43331.cdb - 2735 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43330.cdb - 2078 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43329.cdb - 2490 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43328.cdb - 743 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43327.cdb - 958 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43326.cdb - 793 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43325.cdb - 713 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43324.cdb - 655 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43323.cdb - 655 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43322.cdb - 778 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43321.cdb - 846 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43320.cdb - 808 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43319.cdb - 764 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43318.cdb - 838 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43317.cdb - 363 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43316.cdb - 730 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43315.cdb - 627 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43314.cdb - 824 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43313.cdb - 842 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43312.cdb - 830 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43311.cdb - 862 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43310.cdb - 853 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43309.cdb - 733 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43308.cdb - 708 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43307.cdb - 839 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43306.cdb - 930 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43305.cdb - 759 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43304.cdb - 721 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43303.cdb - 638 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43302.cdb - 806 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43301.cdb - 504 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crw43300.cdb - 24 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crwebase.cdb - 78674 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\cwrtoday.cdb - 394 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\cwr43301.cdb - 697 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crwrisky.cdb - 1271 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\cwntoday.cdb - 498 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\cwn43306.cdb - 781 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\cwn43305.cdb - 752 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\cwn43304.cdb - 793 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\cwn43303.cdb - 766 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\cwn43302.cdb - 850 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\cwn43301.cdb - 772 virus records
[Virus base] C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\crwnasty.cdb - 4867 virus records
Total virus records: 168644
Key file: C:\DOCUME~1\Kees\LOCALS~1\Temp\RarSFX0\cureit.key
License key number: 0000000010
Registered to: Dr.Web CureIt Project
License key activates: 2005-03-05
License key expires: 2007-03-05

-----------------------------------------------------------------------------
Scan statistics
-----------------------------------------------------------------------------
Objects scanned: 0
Infected objects found: 0
Objects with modifications found: 0
Suspicious objects found: 0
Adware programs found: 0
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 0
Objects cured: 0
Objects deleted: 0
Objects renamed: 0
Objects moved: 0
Objects ignored: 0
Scan speed: 0 Kb/s
Scan time: 00:00:00
-----------------------------------------------------------------------------


Objects scanned: 295
Infected objects found: 2
Objects with modifications found: 0
Suspicious objects found: 0
Adware programs found: 0
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 0
Objects cured: 2
Objects deleted: 0
Objects renamed: 0
Objects moved: 0
Objects ignored: 0
Scan speed: 2360 Kb/s
Scan time: 00:00:32
-----------------------------------------------------------------------------


[Scan path] E:\
-----------------------------------------------------------------------------
Scan statistics
-----------------------------------------------------------------------------
Objects scanned: 119026
Infected objects found: 3357
Objects with modifications found: 0
Suspicious objects found: 1
Adware programs found: 1
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 9
Objects cured: 3313
Objects deleted: 44
Objects renamed: 0
Objects moved: 0
Objects ignored: 0
Scan speed: 78 Kb/s
Scan time: 00:36:01
-----------------------------------------------------------------------------

C:\Documents and Settings\Kees\Bureaublad\SmitfraudFix\SmitfraudFix\Process.exe - incurable - moved
C:\Program Files\Prevx1\UISysRest.dll - incurable - moved
C:\System Volume Information\_restore{4252F9A0-FD2C-4B9A-8ABF-648726791F43}\RP223\A0050086.exe - incurable - moved
C:\System Volume Information\_restore{4252F9A0-FD2C-4B9A-8ABF-648726791F43}\RP225\A0051660.exe - incurable - moved
C:\System Volume Information\_restore{4252F9A0-FD2C-4B9A-8ABF-648726791F43}\RP225\A0051662.exe - incurable - moved
C:\System Volume Information\_restore{4252F9A0-FD2C-4B9A-8ABF-648726791F43}\RP226\A0052128.exe - incurable - moved
C:\System Volume Information\_restore{4252F9A0-FD2C-4B9A-8ABF-648726791F43}\RP226\A0052976.exe - incurable - moved
C:\System Volume Information\_restore{4252F9A0-FD2C-4B9A-8ABF-648726791F43}\RP227\A0053742.exe - incurable - moved
C:\System Volume Information\_restore{4252F9A0-FD2C-4B9A-8ABF-648726791F43}\RP227\A0054344.exe - incurable - moved
C:\System Volume Information\_restore{4252F9A0-FD2C-4B9A-8ABF-648726791F43}\RP229\A0055087.exe - incurable - moved
C:\WINDOWS\system32\Process.exe - incurable - moved

=============================================================================
Total session statistics
=============================================================================
Objects scanned: 119321
Infected objects found: 3359
Objects with modifications found: 0
Suspicious objects found: 1
Adware programs found: 1
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 9
Objects cured: 3315
Objects deleted: 44
Objects renamed: 0
Objects moved: 11
Objects ignored: 0
Scan speed: 111 Kb/s
Scan time: 00:36:33
=============================================================================

Kind regards,
Case

Hello Case,

Download and Save blacklight to your desktop.
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe then accept the agreement.
click > scan then > next,
You'll see a list of all items found.
Don't choose rename yet! I want to see the log first, because legit items can also be present there...
There must be also a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
Post the contents of the log in your next reply.

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

How are things running now? :)

Thanks,
tea

Hi Tea,
Things get better: CCleaner works now normally, the yesterday installed version. Spybot, the yesterday installed version, went defective, so uninstalled defective version, reinstalled anew, uploaded new virus detection files: It worked normally, and found no malware.

Blacklight found nothing:

01/16/07 22:08:25 [Info]: BlackLight Engine 1.0.55 initialized
01/16/07 22:08:25 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/16/07 22:08:25 [Note]: 7019 4
01/16/07 22:08:25 [Note]: 7005 0
01/16/07 22:08:29 [Note]: 7006 0
01/16/07 22:08:29 [Note]: 7011 1564
01/16/07 22:08:29 [Note]: 7026 0
01/16/07 22:08:30 [Note]: 7026 0
01/16/07 22:08:36 [Note]: FSRAW library version 1.7.1021
01/16/07 22:10:36 [Note]: 2000 1012
01/16/07 22:10:36 [Note]: 2000 1012
01/16/07 22:10:36 [Note]: 2000 1012
01/16/07 22:10:36 [Note]: 2000 1012
01/16/07 22:11:23 [Note]: 7007 0


ComboFix:
"Kees" - 07-01-16 22:11:55 Service Pack 2
ComboFix 07-01-16.2 - Running from: "C:\Documents and Settings\Kees\Bureaublad"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\g32.txt
C:\WINDOWS\s32.txt
C:\WINDOWS\ws386.ini
C:\WINDOWS\trace


((((((((((((((((((((((((((((((( Files Created from 2006-12-16 to 2007-01-16 ))))))))))))))))))))))))))))))))))


2007-01-16 21:48 <DIR> dr-h----- C:\DOCUME~1\Kees\Onlangs geopend
2007-01-16 14:56 <DIR> d-------- C:\DOCUME~1\Kees\DoctorWeb
2007-01-15 22:39 <DIR> d-------- C:\Program Files\CCleaner
2007-01-13 04:19 <DIR> d-------- C:\Program Files\CCleanerDisfunctional
2007-01-12 20:55 9,728 --a------ C:\WINDOWS\system32\drivers\pxscinst.dll
2007-01-12 20:55 7,680 --a------ C:\WINDOWS\system32\drivers\pxinst.dll
2007-01-12 20:55 7,552 --a------ C:\WINDOWS\system32\drivers\pxcom.sys
2007-01-12 20:55 274,688 --a------ C:\WINDOWS\system32\drivers\pxfsf.sys
2007-01-12 20:55 18,560 --a------ C:\WINDOWS\system32\drivers\pxtdi.sys
2007-01-12 20:55 13,952 --a------ C:\WINDOWS\system32\drivers\pxrd.sys
2007-01-12 20:55 11,648 --a------ C:\WINDOWS\system32\drivers\pxscrmbl.sys
2007-01-12 20:55 100,864 --a------ C:\WINDOWS\system32\drivers\PxEmu.sys
2007-01-12 20:55 <DIR> d-------- C:\Program Files\Prevx1
2007-01-12 20:55 <DIR> d-------- C:\DOCUME~1\Kees\Application Data\Prevx
2007-01-12 20:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Prevx
2007-01-11 03:20 360 --a------ C:\WINDOWS\system32\tmp.reg
2007-01-11 03:19 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-01-11 03:19 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-01-11 03:19 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-01-11 03:19 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-01-11 03:19 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-01-11 03:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Yahoo! Companion
2007-01-11 02:31 <DIR> d-------- C:\Program Files\Yahoo!
2007-01-10 16:21 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\Application Data\TEMP
2007-01-10 16:21 <DIR> d-------- C:\Program Files\Spyware Doctor


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-15 20:55 33046 --a------ C:\DOCUME~1\Kees\Application Data\wklnhst.dat
2007-01-10 23:21 17408 --a------ C:\WINDOWS\system32\drivers\USBCRFT.SYS


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"PrevxOne"="\"C:\\Program Files\\Prevx1\\PXConsole.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"="csvxl.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\partnershipreg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0


Completion time: 07-01-16 22:12:59

HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 22:41:13, on 16-1-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Prevx1\PXConsole.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\Kees\LOCALS~1\Temp\Tijdelijke map 1 voor hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - Startup: Dreamspell Calendar.lnk = C:\DREAMSP\dreamsp.exe
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documenten\Settings\partnership.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: CA License Client (CA_LIC_CLNT) - Unknown owner - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe (file missing)
O23 - Service: CA License Server (CA_LIC_SRVR) - Unknown owner - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe (file missing)
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

Both the Blbeta and the combofix made the InternetExplorer window close. After these two programs InternetExplorer started up with a changed standard first page, changed to an MSN site. Strange.

:red: things are clearing up a bit. That's very nice.
Kind regards,
Case

Dear Tea,
It seems to me, but as told I am no computer expert, that everything works fine, including Spybot.
I would like to thank and congratulate you (and shake hands), but you are the healer:bow:, and I await your opinion.
Kind regards,
Case

Hello Case,

When some of these tools are run they set hijacked homepages back to the default value, in this case MSN. You should have been able to change it to anything you like now. :) I'm so glad things are better. :bigthumb:

Still a couple of things to do and look at.

Use Windows Search (Start > Search > For Files or Folders), to search for the following file:
csvxl.exe

Please go to VirusTotal (]http://www.virustotal.com/) and submit the file for a scan and post the results in your next reply.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O1 - Hosts: localhost 127.0.0.1
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Close all browsers and other windows except for HijackThis!, and click "Fix Checked".

Reboot your computer.

In your reply, please post the report from VirusTotal and a new HijackThis log. Still running all right? :)

Thanks,
tea

How do you do Tea,
(as an alternative to Hi Tea, which did sound a bit strange. Yesterday on the Gilmore Girls there was a High Tea organized, so I understood why the sound ringed a bell. I also found 'howdy', but being no cowboy I find I'm not in the position to say this to a possibly real Texan cowgirl)

Was unable to find csvxl.exe, also not as hidden file. I'm not doubting you, but to be able to locate this file I did a Google search, and could find csvxl.exe only where you wrote it in this thread.
I did find both the files you mentioned, found by HJT, but hesitated to undertake the action you proposed, since I have no idea what I am doing, since not finding the csvxl.exe.

System is running quite fine still. CCleaner and Spybot are ok.
Kind regards,
Case

Hello Case,

Fixing those two entries with HijackThis per my previous instructions still applies, and glad that the file in question is gone. I had to be sure.:)

Howdy would have been acceptable! I am in Texas, and I do live on a small farm with chickens, goats, and a pony even. ;)

In you rreply, please confirm that those two entries are gone so we can wrap this up! :bigthumb:

Regards,
tea

Howdy Tea,
Done as asked.

Logfile of HijackThis v1.99.1
Scan saved at 3:05:39, on 18-1-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Prevx1\PXConsole.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\DOCUME~1\Kees\LOCALS~1\Temp\Tijdelijke map 1 voor hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tvgids.nl/alleprogrammas/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - Startup: Dreamspell Calendar.lnk = C:\DREAMSP\dreamsp.exe
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documenten\Settings\partnership.dll (file missing)
O23 - Service: CA License Client (CA_LIC_CLNT) - Unknown owner - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe (file missing)
O23 - Service: CA License Server (CA_LIC_SRVR) - Unknown owner - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe (file missing)
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

(I don't know if I get another chance:)
Thank you, Thank you, Thank you.
Everything works fine, and I love you.
I wish you all the best, enlightenment, and a good life.
Hug (a good hug),
Kind regards,
Case
:band:

He he he....you do indeed get one last chance.

If there are no further problems :

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

You should definitely maintain a firewall. Some good free firewalls are Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm), ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?lid=dbtopnav_za), or Outpost (http://www.agnitum.com/products/outpostfree/download.php)
A tutorial on understanding and using firewalls may be found here (http://www.bleepingcomputer.com/forums/tutorial60.html).

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here (http://www.bleepingcomputer.com/forums/tutorial49.html).

SpywareGuard (http://www.javacoolsoftware.com/spywareguard.html)
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here (http://www.bleepingcomputer.com/forums/tutorial50.html).

A tutorial on using Spybot to remove spyware from your computer may be found here (http://www.bleepingcomputer.com/forums/tutorial43.html). Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad (http://www.spywarewarrior.com/uiuc/resource.htm)

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Don't forget to run only one antivirus real time protection at a time. Keep those others disabled, or uninstall to prevent problems.

Lastly, please take care.
tea http://i135.photobucket.com/albums/q150/teacup61/hello.gif

Goodbye Tea.
Things are fine now. The computer does not make strange background sounds of activity anymore. There is peace. Peace on earth as it is on my computer.
Thanks for the recommendations on spyware/browser etc. I will investigate any of them.
I loved this. I really feel you do these things from the heart, and with joy, and there is nothing more valuable than that. I think you're great.
Thank you,
Case
:banana:

Glad we could help, as the problem appears to be resolved this topic has been archived.